WordPress 4.9.8 Beta 2

The second beta package for 4.9.8 has been released and is now available for testing. Please help test this beta version to ensure everything works as expected.

This package contains 1 blessed task, 3 bug fixes and 3 enhancements since the first beta. This brings the total number of bug fixes in 4.9.8 to 25, enhancements to 11 and blessed tasks to 3.

Important Note: This second beta includes the “Try Gutenberg” callout.

The release candidate is scheduled for Tuesday, July 24th and final release is scheduled for Tuesday, July 31st.

Blessed Tasks

A full list of blessed tasks in 4.9.8 Beta 2 can be found on Trac.

The tickets listed below are only those committed since Beta 1 was released.

Editor

  • #41316 – Introduce “Try Gutenberg” callout

Bug Fixes

A full list of bugs fixed in 4.9.8 Beta 2 can be found on Trac.

The tickets listed below are only those committed since Beta 1 was released.

I18N

  • #44574 – Saratov and other cities missing from translations

Privacy

  • #44192 – Title of Privacy Policy Page not used on login page
  • #44130 – Mixed Case of Privacy Policy on Privacy Settings page

Enhancements

A full list of enhancements in 4.9.8 Beta 2 can be found on Trac.

The tickets listed below are only those committed since Beta 1 was released.

Options, Meta APIs

  • #38323 – Reconsider $object_subtype handling in `register_meta()`

Privacy

  • #43967 – Admin emails after email confirmation don’t work for data privacy requests
  • #44612 – Grammar – Missing ‘a’ in ‘select new Privacy Policy page’

#4-9-8, #release

WordPress 4.9.8 Beta 1

It’s that time again, we have a new beta release package for 4.9.8, and we’d love your help testing it out. It’s important to make sure that a release is fully tested and bugs are squashed. If you’re new (or it’s been a while) you can check out the guide for helping to test a beta version.

This beta release contains 21 bug fixes, 9 enhancements and 2 blessed tasks. The purpose of this release has been to focus on additional enhancements for privacy in WordPress (following up on the tremendous work done for 4.9.6), as well as adding a callout to try the new Gutenberg editing experience.

The work being done to introduce the “Try Gutenberg” callout (#41316) is still in progress, and as such hasn’t been included in this first beta. Our plan (subject to change) is to release a second beta version once that’s ready, and once that hits we’ll ask for specific testing on the callout.

For the rest of the work, we’d love your help to make sure the enhancements and bug fixes are working as expected!

The release candidate is scheduled for Tuesday, July 24th, and the official release is scheduled for Tuesday, July 31st.

Bug Fixes

A full list of bugs fixed in 4.9.8 Beta can be found on Trac.

Bundled Theme

  • #44109 – TwentySeventeen backend editor: level 2 bulleted lists nested under numbered lists show numbers instead of bullets

Comments

  • #44141 – Privacy: Don’t replace comment author URL and email with anything
  • #44342 – Commenter cookie consent message should not be displayed if the cookie action isn’t hooked

Customize

  • #44104 – Customize: Attempt to count uncountable value

Editor

  • #44341 – Replace _deprecated_function( ‘add_filter’ ) with apply_filters_deprecated()

Filesystem API

  • #43054 – wp_is_stream fails with stream definition containing nonascii chars

Login and Registration

  • #44052 – Missing parameter type for `login_header()`

Media

  • #43751 – REST API: Attachments controller should respect “Max upload file size” and “Site upload space” in multisite
  • #44532 – Extreme memory leak related to wp_is_stream in wp-includes/functions.php in WordPress 4.9.7

Privacy

  • #44099 – Add Request Type into Admin Email Subject for GDPR
  • #44195 – “Silence is golden” index.html generates output
  • #44265 – Add filter for email subject for erasure complete notification
  • #44353 – Replace `site_url( ‘wp-login.php’ )` in `wp_send_user_request()`
  • #44379 – GDPR filters should provide either $request or $request_id
  • #44382 – Filter the subject within _wp_privacy_send_request_confirmation_notification
  • #44396 – Inconsistent use of blogname and sitename in Privacy emails
  • #44590 – Remove “// WPCS:” comments

Rest API

  • #43874 – REST API: Only render fields specific to request when _fields= is used
  • #42691 – WP_Term_Query get_terms generates invalid SQL queries
  • #44096 – REST API: Taxonomy and term endpoints should use correct permission checks
  • #44330 – TinyMCE: do not force-load external TinyMCE plugins

Enhancements

A full list of enhancements in 4.9.8 beta can be found on Trac.

Posts, Post Types

  • #36085 – Add action hook to get_inline_data()

Privacy

  • #44006 – Privacy Policy page should have suffix like other special pages
  • #44025 – Privacy: Pagination screen options for the requests list tables
  • #44100 – GDPR Privacy Page setting allows for Draft Pages
  • #44131 – If draft page selected for Privacy Policy page should verbiage change from view to preview
  • #44181 – The input field id username_or_email_to_export should be something else on remove_personal_data page
  • #44373 – Add a privacy setting to disable comment cookie consent
  • #44321 – REST API: Expose revision count and last revision ID on Post response
  • #44287 – REST API: Declare user capability to perform actions using JSON Hyper Schema `targetSchema`

Blessed Tasks

A full list of blessed tasks in 4.9.8 beta can be found on Trac.

Emoji

  • #44339 – Emoji: Update Twemoji to 11.0

TinyMCE

  • #44134 – Update to TinyMCE 4.7.13
    • See the TinyMCE changelog. WP 4.9.6 included TinyMCE 4.7.11, WP 4.9.8 beta 1 updated to TinyMCE 4.8.0.

#4-9-8, #release

WordPress 4.9.6 Release Candidate 2

The second release candidate package for 4.9.6 has been released and is now available for testing. Please help test this release candidate version to ensure everything works as expected.

This package contains 20 bug fixes since the first release candidate. This brings the total number of bug fixes in 4.9.6 to 60 while the number of enhancements/feature requests remains at 34.

Note: With the introduction of #44091, any existing data export requests will need to be removed by an admin and resubmitted.

Even more than usual, we need testers to help polish this release. This version (4.9.6) introduces the first round of tools that help WordPress site owners and admins meet the new requirements for user privacy regulations.

The official 4.9.6 release is scheduled for Thursday, May 17th.

Bug Fixes

A full list of bugs fixed in the 4.9.6 Release Candidate can be found on Trac. The tickets listed below are only those committed since RC1 was released.

Privacy

  • #44064 – Define $title and $parent_file in privacy.php
  • #44045 – GDPR WP Pointer dismiss link can be unreachable
  • #44050 – Privacy: Abandoned heading in WP_Privacy_Policy_Content::get_default_content()
  • #44048 – Privacy: exclude the wrapper from the default policy content
  • #44075 – GDPR inline documentation improvements
  • #44062 – Don’t show privacy feature pointer to new users
  • #44065 – Remove is-dismissible class from notice when privacy info has changed
  • #44057 – It’s not obvious what to do if menu bubble for policy update appears
  • #44056 – Fix markup for table of contents on privacy policy guide
  • #44076 – Add wp_page_for_privacy_policy to populate_options()
  • #44026 – Export and Erase Personal Data tables misaligned under 782px
  • #43491 – Automatically create a Privacy Policy page when installing WordPress
  • #44063 – Privacy policy guide: do not remove the “Suggested text has changed” bubble on saving the policy page
  • #44046 – GDPR Privacy Policy Link in wp-login.php page can overflow other links
  • #44055 – Don’t show notice to the privacy policy guide when user cannot view the guide
  • #44054 – Escape the comment link output in the wp_comments_personal_data_exporter() function.
  • #44093 – Proposed Adjustment to Privacy Settings buttons
  • #44092 – Export/Erase tools: CSS issues with next_steps buttons with some locales
  • #44091 – Rename exports folder to avoid deleting other files
  • #44079 – Require `manage_privacy_options` capability to edit the privacy policy page

A full list of all changes in 4.9.6 can also be found on Trac.

#4-9-6 #maintenance #release

WordPress 4.9.6 Release Candidate

The release candidate package for 4.9.6 has been released and is now available for testing. Please help test the release candidate version to ensure the version works as expected.

This package contains 30 bug fixes since the beta. This brings the total number of bug fixes in 4.9.6 to 40 while the number of enhancements/feature requests remains at 34.

Even more than usual, we need testers to help polish this release. This version (4.9.6) introduces the first round of tools that help WordPress site owners and admins meet the new requirements for user privacy regulations.

The official 4.9.6 release is scheduled for Thursday, May 17th.

Bug Fixes

A full list of bugs fixed in 4.9.6 Release Candidate can be found on Trac. The tickets listed below are only those committed since the beta was released.

Customize

  • #43945 – Missing closing button tag in ‘Live Preview’ button

General

  • #43934 – Missing doc for the user_request_key_expiration filter
  • #43951 – Typos in `WP_Privacy_Policy_Content::get_default_content()`
  • #44016 – user_request_action_email_content filter hook documentation inaccurate
  • #43583 – Account for SimpleXMLElement and `ResourceBundle` in is_countable()

Privacy

  • #43964 – “Email Data” button text – Make it more clear that an export link is sent, not the whole data
  • #43920 – Use the terms erase / erasure instead of remove / removal for personal data
  • #43905 – Personal data export link does not work
  • #43913 – On sending the personal data export email, the request should be marked COMPLETED
  • #43922 – Data removal/erasure requests don’t get marked as “Completed” after erasure happens
  • #44015 – Add `id` attribute to each row of privacy post list tables
  • #43852 – Fix spacing on responsive for Use This Page button in Privacy Tools
  • #43966 – Prioritize the User group in Personal Data Exports to right below the About group
  • #43968 – Add Request Type into Confirmation Email Subject for GDPR
  • #44023 – Remove help tab from settings privacy until we have something helpful to say
  • #43908 – Export keeps generating new .zip files on Windows installations
  • #43970 – Add request type to the confirmation confirmation page – GDPR
  • #43973 – Email user once removal request completed – GDPR
  • #44040 – Potential PHP notice in wp_ajax_wp_privacy_erase_personal_data()
  • #43954 – Showing the privacy policy admin notice on all screens is intrusive
  • #43933 – Make the Privacy Policy page intro text shorter and more friendly
  • #43909 – Improve styling on personal data tables
  • #43967 – Admin emails after email confirmation don’t work for GDPR requests
  • #43961 – Privacy Policy popup covers collapsed admin menu
  • #43929 – Privacy pages: buttons should be buttons and other coding standards
  • #44031 – Add personal data export request ID to the wp_privacy_personal_data_export_file_created hook
  • #43980 – Consider outputting the suggested privacy policy content to a new page instead of a postbox

TinyMCE

  • #43984 – Customize: JavaScript error when opening Text widget
  • #43969 – Custom themes will not work in TinyMCE 4.7

A full list of all changes in 4.9.6 can also be found on Trac.

#4-9-6 #maintenance #release

4.7.4 Release Candidate

After about six weeks of development, a Release Candidate for WordPress 4.7.4 is now available. This maintenance release fixes 46 issues reported against 4.7 and is scheduled for final release on Thursday, April 20, 2017.

Thus far WordPress 4.7 has been downloaded nearly 60 million times since its release on December 6, 2016. Please help us by testing this release candidate to ensure 4.7.4 fixes the reported issues and doesn’t introduce any new ones.

Notable Bug Fixes

There are a few more notable issues being addressed in this release. The first one is about broken video/audio thumbnails when uploading media (#40075). Additionally, an incompatibility between the upcoming Chrome version and the visual editor (#40305) has been solved by updating TinyMCE. Furthermore, the REST API saw some enhancements in relation to date handling (#39854, #40136).

All Changes

Here’s a list of all closed tickets, sorted by component:

Administration

  • #39983 – Consider not using the CSS class button-link for controls that don’t look like links
  • #40056 – Shift-click to select a range of checkboxes isn’t working anymore since 4.7.3 update

Bootstrap/Load

  • #39445 – Add class_exists() check before defining the PasswordHash class

Build/Test Tools

  • #38500 – Automatically cancel pending Travis builds with each commit
  • #39219 – Add assertNotFalse method to WP_UnitTestCase.
  • #39367 – Don’t no-op $user_id in test suite’s wp_set_auth_cookie()
  • #39988 – The theme used during tests should call wp_head() and wp_footer()
  • #40066 – Remove the twentysixteen git clone from the Travis config
  • #40086 – Get Travis tests working again on PHP 7

Bundled Theme

  • #40216 – Twenty Seventeen: Some parts do not escape HTML attributes
  • #40224 – Twenty Seventeen: navigation.js should be enqueued with jQuery as dependency
  • #40264 – Twenty Seventeen: Incorrect heading hierarchy for front page sections
  • #40461 – Twenty Seventeen: Bump version and update changelog

Customize

  • #31850 – Customizer links should use canonical admin URL
  • #37471 – Widgets: If your theme only has one widget area, we should open it automatically
  • #38953 – Customize Menus: clicking outside of the available menu items panel does not close the panel
  • #39430 – sections and panels that are open and become inactive should be closed
  • #39770 – Client-side notification error is unexpectedly cleared when no corresponding server-side validation
  • #40010 – Template for site icon control fails to check if full image size exists before using
  • #40018 – Selective refresh always falls back to full refreshes when customizing the 404 template
  • #40112 – Can’t preview starter content “Home” menu item in subdirectory installation
  • #40198 – all previewable links are blocked in the customize preview on IE11
  • #40271 – Use get_user_locale() in Customizer
  • #40277 – Adding page created with the dropdown-pages settings to menu creates Custom Link instead of Page
  • #40308 – Video header control fails to use is_header_video_active() for active_callback
  • #40405 – IE9 errors when attempting to generate changeset parameter

Login and Registration

  • #39497 – Can’t log out completely without closing my browser

Media

  • #31071 – media / post_mime_type related queries are very slow on larger sites
  • #40017 – wp_get_image_mime() returns ‘application/octet-stream’ for non-image files.
  • #40075 – Broken video/audio thumbnails because of corrupted blob meta data
  • #40085 – Audio/video uploads are broken in 4.2.13 and 4.3.9
  • #40152 – Crop Image button off-screen on mobile

Networks and Sites

  • #40036 – Re-saving Network Settings ruins starter content
  • #40063 – Handle site cache invalidation more specifically for option updates

Posts, Post Types

  • #39986 – Register missing REST API properties on WP_Post_Type

Quick/Bulk Edit

  • #40242 – Bulk edit tag autocomplete layout error

REST API

  • #39854 – Add gmt_offset to base /wp-json response
  • #39881 – WP_REST_Posts_Controller::check_read_permission() should check if $parent exists before calling itself
  • #40027 – Tags and Categories should have a “slugs” parameter for batch fetching
  • #40136 – Issues with dates and DST
  • #40213 – Users endpoint slug parameter should allow an array of slugs

Taxonomy

  • #39987 – Register missing REST API properties on WP_Taxonomy
  • #40154 – Incorrectly formatted $taxonomies parameter passed to wp_get_object_terms filter
  • #40306 – Term cache isn’t cleared completely when setting and removing object terms

Themes

  • #38292 – Introduce exclusion for WP_Theme::scandir()

TinyMCE

  • #40305 – Image popup toolbar does not support Chrome Beta

Download the Release Candidate now and help us test!

#4-7, #4-7-4, #maintenance, #release

Disclosure of Additional Security Fix in WordPress 4.7.2

WordPress 4.7.2 was released last Thursday, January 26th. If you have not already updated, please do so immediately.

In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed. There was an Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint. Previous versions of WordPress, even with the REST API Plugin, were never vulnerable to this.

We believe transparency is in the public’s best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.

On January 20th, Sucuri alerted us to a vulnerability discovered by one of their security researchers, Marc-Alexandre Montpas. The security team began assessing the issue and working on solutions. While a first iteration of a fix was created early on, the team felt that more testing was needed.

Meanwhile, Sucuri added rules to their Web Application Firewall (WAF) to block exploit attempts against their clients. This issue was found internally and no outside attempts were discovered by Sucuri.

Over the weekend, we reached out to several other companies with WAFs including SiteLock, Cloudflare, and Incapsula and worked with them to create a set of rules that could protect more users. By Monday, they had put rules in place and were regularly checking for exploit attempts in the wild.

On Monday, while we continued to test and refine the fix, our focus shifted to WordPress hosts. We contacted them privately with information on the vulnerability and ways to protect users. Hosts worked closely with the security team to implement protections and regularly checked for exploit attempts against their users.

By Wednesday afternoon, most of the hosts we worked with had protections in place. Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild. As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.

On Thursday, January 26, we released WordPress 4.7.2 to the world. The release went out over our autoupdate system and, over a couple of hours, millions of WordPress 4.7.x users were protected without knowing about the issue or taking any action at all.

We’d like to thank Sucuri for their responsible disclosure, as well as working with us to delay disclosure until we were confident that as many WordPress sites were updated to 4.7.2 as possible. We’d also like to thank the WAFs and hosts who worked closely with us to add additional protections and monitored their systems for attempts to use this exploit in the wild. As of today, to our knowledge, there have been no attempts to exploit this vulnerability in the wild.

#4-7, #release, #security

4.7.1 Release Candidate

A Release Candidate for WordPress 4.7.1 is now available. This security and maintenance release fixes 62 issues reported against 4.7 and is scheduled for final release on Wednesday, January 11, 2017. Note this does not address a number of other issues, which are slated for a 4.7.2 release.

Thus far WordPress 4.7 has been downloaded over 9 million times since its release on December 6, 2016. Please help us by testing this release candidate to ensure 4.7.1 fixes the reported issues and doesn’t introduce any new ones. As always, the entire WordPress project is grateful to security reporters for practicing responsible disclosure.

PHPMailer Update

Last month a security vulnerability (CVE-2016-10033) in the PHPMailer library was made public. WordPress uses this library as the basis for its email functionality. The Security Team has spent some time analysing this vulnerability and how it applies to WordPress. This vulnerability does not appear to be directly exploitable in WordPress Core, or in any major plugins in the plugin directory. The wp_mail() function, which WordPress Core and most plugins use for sending email, blocks this vulnerability from being exploited.
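As an added illustration of the bug class behind CVE-2016-10033 (this is example code, not code from WordPress, PHPMailer or this post): PHPMailer’s mail() transport placed the sender address into the `-f` flag of PHP `mail()`’s additional-parameters argument, and sendmail parses that string as command-line options, so an address crafted to look like a mailbox can smuggle extra flags in. The snippet contrasts that pattern with a hardened builder. The function names and both sample addresses are constructed for this example; the hostile one only mimics the shape of the public proof of concept, and nothing here shows the actual internals of wp_mail().

```php
<?php
// Added example: why an attacker-controlled sender address must never reach
// mail()'s $additional_params unescaped. sendmail reads that string as
// command-line flags, so "-X<path>" inside the address becomes a log-file write.

// The dangerous pattern: the address is interpolated straight into "-f".
function build_sendmail_params_unsafe(string $sender): string
{
    return sprintf('-f%s', $sender);
}

// Hardened: accept only a plain mailbox (no whitespace, quotes or shell
// metacharacters), then still shell-escape the value defensively. Returns
// null when the address must not be used as a sendmail parameter at all.
function build_sendmail_params_safe(string $sender): ?string
{
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Quoted local parts are syntactically valid email, so validation alone
    // is not enough; refuse anything that could carry extra flags.
    if (preg_match('/[\s"\'\\\\`$;|&<>]/', $sender)) {
        return null;
    }
    return '-f' . escapeshellarg($sender);
}

// Constructed inputs (hypothetical). The second one smuggles sendmail flags
// inside a quoted local part, the same shape as the public PoC for this CVE.
$benign  = 'wordpress@example.com';
$hostile = '"attacker\" -oQ/tmp/ -X/var/www/html/backdoor.php  a"@example.com';

var_dump(build_sendmail_params_unsafe($hostile));
var_dump(build_sendmail_params_safe($hostile));
var_dump(build_sendmail_params_safe($benign));
```

The unsafe builder hands the hostile string through untouched, flags and all. The safe builder returns null for it (the quotes and whitespace fail the character check regardless of how FILTER_VALIDATE_EMAIL treats quoted local parts) and yields the single-quoted `-f'wordpress@example.com'` for the benign address. Whether a given mail wrapper is exposed comes down to whether attacker-controlled data can reach that parameter at all, which is the question the post answers for wp_mail().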

All Changes

Here’s a list of all closed tickets, sorted by component:

Bootstrap/Load

  • #39132 – WP 4.7, object-cache.php breaks the site if APC is not enabled in php

Build/Test Tools

  • #39327 – Database connection errors in unit tests on 4.7

Bundled Theme

  • #39138 – wordpress 4.7 default theme does not get installed when upgrading
  • #39272 – Twenty Seventeen: Incorrect $content_width
  • #39302 – Twenty Seventeen: Featured image not displayed on single template
  • #39335 – Twenty Seventeen: customize-controls.js incorrectly assumes theme_options section is always present
  • #39109 – Twenty Seventeen: starter content array needs a filter
  • #39489 – Twenty Seventeen: Bump version and update changelog

Charset

  • #37982 – 4.6.1 Breaks apostrophes in titles and utf-8 characters

Comments

  • #39280 – comment permalink wrong in WordPress 4.7
  • #39380 – wp_update_comment can cause database error with new filter

Customize

  • #39009 – Customizer: the preview UI language should be the user language
  • #39098 – Customize: Clicking on child elements of preview links fails to abort navigation to non-previewable links
  • #39100 – Customize: Edit shortcuts do not work if page hasn’t been saved and published
  • #39101 – Customize: edit shortcuts for custom menu widgets do not work
  • #39102 – Customize: Shift-click on placeholder nav menu items fails to focus on the nav menu item control
  • #39103 – Customize: menus aren’t deleted
  • #39104 – Customize: starter content home menu item needs to be a link, not a page
  • #39125 – Customize: Video Header YouTube field has issues when whitespace is inserted at beginning or end of URL
  • #39134 – Customize: custom CSS textarea is scrolled to top when pressing tab
  • #39145 – custom-background URL escaped
  • #39175 – Customizer assumes url is passed with replaceState and pushState
  • #39194 – Invalid parameters in Custom CSS and Changeset queries
  • #39198 – Customize: Apostrophes in custom CSS cause false positives for validation errors
  • #39227 – Changeset parameter not generated
  • #39259 – ‘custom_css_post_id’ theme mod of `-1` doesn’t prevent queries
  • #39270 – Use a higher priority on wp_head for inline custom CSS
  • #39349 – Customizer (mobile preview) site title extra padding
  • #39444 – Text Decoration Underline removes on hover in Customizer

Editor

  • #39276 – Link Editor bug – target=”_blank” not removed
  • #39313 – Add New button not disappearing in Distraction-free Writing mode
  • #39368 – .page-template-default body class in editor doesn’t appear in initial post/page load.

External Libraries

  • #37210 – Update PHPMailer to 5.2.21

Feeds

  • #39066 – `fetch_feed()` changes REST API response `Content-Type`
  • #39141 – RSS feeds have incorrect lastBuildDate when using alternate languages

General

  • #39148 – Correct concatenated dynamic hooks
  • #39433 – Update copyright year in license.txt

HTTP API

  • #37839 – wp_remote_get sometimes mutilates the response body
  • #37991 – fsockopen logic bug
  • #37992 – fsockopen hard codes port 443 when http scheme used
  • #38070 – RegEx to remove double slashes affects query strings as well.
  • #38226 – “cURL error 23: Failed writing body” when updating plugins or themes
  • #38232 – Setting `sslverify` to false still validates the hostname

Media

  • #39195 – Undefined index: extension in class-wp-image-editor-imagick.php on line 152
  • #39231 – Allow the pdf fallback_intermediate_image_sizes filter to process add_image_size() sizes.
  • #39250 – Undefined Variable in Media-Modal

Posts, Post Types

  • #39211 – is_page_template could return true on terms

REST API

  • #38700 – REST API: Cannot send an empty or no-op comment update
  • #38977 – REST API: `password` is incorrectly included in arguments to get a media item
  • #39010 – REST API: Treat null and other falsy values like `false` in ‘rest_allow_anonymous_comments’
  • #39042 – REST API: Allow sanitization_callback to be set to null to bypass `rest_parse_request_arg()`
  • #39070 – WP-API JS client can’t use getCategories for models returned by collections
  • #39092 – REST API: Add support for filename search in media endpoint
  • #39150 – Empty JSON Payload Causes rest_invalid_json
  • #39293 – WordPress REST API warnings
  • #39300 – REST API Terms Controller Dynamic Filter Bug
  • #39314 – WP-API Backbone Client: buildModelGetter fails to reject deferred on fetch error

Taxonomy

  • #39215 – Support for string $args in wp_get_object_terms() broken in 4.7
  • #39328 – Adding terms without AJAX strips “taxonomy” query arg

Themes

  • #39246 – Theme deletion has a JS error that prevents multiple themes from being deleted.

Upgrade/Install

  • #39047 – Installer tries to create nonce before options table exists
  • #39057 – FTP credentials form doesn’t display the SSH2 fields on the Updates screen


#4-7, #4-7-1, #maintenance, #release, #security

4.5.1 Release Candidate

A Release Candidate for WordPress 4.5.1 is now available. This maintenance release fixes 11 issues reported against 4.5 and is scheduled for final release next Tuesday, April 26.

Thus far WordPress 4.5 has been downloaded nearly 5 million times since its release on April 12. Please help us by testing this release candidate to ensure 4.5.1 fixes the reported issues and doesn’t introduce any new ones.

Notable Bug Fixes

As noted in the previous post about 4.5.1, there are two more severe bugs fixed in this release:

  • #36545 – WordPress TinyMCE toolbar/tabs unresponsive in Chrome Version 50.0.2661.75 beta-m (64-bit) and
  • #36510 – Twenty eleven page templates with widgets incorrectly styled.

All Changes

Only a few components received changes. Here’s a list of all closed tickets, sorted by component:

Build/Test Tools

  • #36498 Shrinkwrap npm dependencies for 4.5

Bundled Theme

  • #36510 Twenty eleven page templates with widgets incorrectly styled

Customize

  • #36457 Customizer Device Preview: Use px units for tablet preview size

Database

  • #36629 Database connect functions can cause un-catchable warnings

Editor

  • #36458 Fix support for Safari + VoiceOver when editing inline links

Emoji

  • #36604 Emoji skin tone support test incorrectly passing in Chrome

Feeds

  • #36620 Feeds using an rss-http content type are now served as application/octet-stream

Media

  • #36501 Fatal error: Undefined class constant 'ALPHACHANNEL_UNDEFINED'
  • #36578 wp_ajax_send_attachment_to_editor() bug
  • #36621 Don’t cache the results of wp_mkdir_p() in a persistent cache

Rewrite Rules

  • #36506 Duplicate directives in web.config after WordPress 4.5 installation on Windows

TinyMCE

  • #36545 WordPress TinyMCE toolbar/tabs unresponsive in Chrome Version 50.0.2661.75 beta-m (64-bit)

Update: We’ve released 4.5.1-RC2, which includes the fix for #36629.

#4-5-1, #maintenance, #release

4.4.2 Release Candidate

A Release Candidate for WordPress 4.4.2 is now available. This maintenance release is scheduled for tomorrow, Tuesday, February 2, but first it needs your testing. This release fixes 17 issues reported against 4.4 and 4.4.1.

WordPress 4.4 has thus far been downloaded over 20 million times since its release on December 8. Please test this release candidate to ensure 4.4.2 fixes the reported issues and doesn’t introduce any new ones.

Contributors

Thank you to the following 11 contributors to 4.4.2:

afercia, berengerzyla, boonebgorges, chandrapatel, chriscct7, dd32, firebird75, ivankristianto, jmdodd, ocean90, salvoaranzulla

Fixes

A total of 17 fixes are included in this RC (trac log). Notable fixes include:

  • #35344 – Strange pagination issue on front page after 4.4.1 update. This was a very visible issue for certain users with specific settings. While remnants of this issue still exist (see #35689), the bulk of it has been fixed and is ready for testing.
  • Comments – A total of 6 issues were fixed within the Comments component.
    • #35419 – Incorrect comment pagination when comment threading is turned off
    • #35402 – per_page parameter no longer works in wp_list_comments
    • #35378 – Incorrect comment ordering when comment threading is turned off
    • #35192 – Comments_clauses filter (issue)
    • #35478 – 4.4 Regression on Querying for Comments by Multiple Post Fields
    • #35356 – wp_list_comments ignores $comments parameter

Download & Test

We need your help to ensure there are no issues with the fixes in 4.4.2. Please download the RC and test!

#4-4, #4-4-2, #maintenance, #release

4.4.1 Release Candidate

A Release Candidate for WordPress 4.4.1 is now available. This maintenance release is scheduled for Wednesday, January 6, but first it needs your testing. This release fixes 52 issues reported against 4.4.

WordPress 4.4 has thus far been downloaded over 7 million times since its release on December 8. Please test this release candidate to ensure 4.4.1 fixes the reported issues and doesn’t introduce any new ones.

Contributors

A total of 36 contributors have contributed to 4.4.1:

Compute, DvanKooten, JPr, KrissieV, SergeyBiryukov, ShinichiN, aaroncampbell, afercia, azaozz, boonebgorges, dd32, dossy, eherman24, gblsm, hnle, igmoweb, jadpm, jeff@pyebrook.com, joemcgill, johnbillion, jorbin, meitar, nacin, netweb, obenland, ocean90, pento, peterwilsoncc, redsweater, rmccue, rogerhub, salcode, smerriman, scottbrownconsulting, stephenharris, swissspidy, tharsheblows, tyxla, voldemortensen, webaware, wonderboymusic, wp-architect

Notable Bug Fixes

Two severe bugs have been fixed. In some cases, users with an out of date version of OpenSSL being used by PHP were unable to use the HTTP API to communicate with some https sites. Additionally, posts that reused a slug (or a part of a slug) would be redirected.
The polyfill for emoji support has been updated to support Unicode 8.0. This means that diversity emoji, and other new emoji like 🌮 and 🏒, are fully supported.

All Changes

Most components have received at least one change. This is a list of all tickets closed, sorted by component.

#4-4, #4-4-1, #maintenance, #release